diff options
Diffstat (limited to '')
-rw-r--r-- | scripts/http-wordpress-enum.nse | 299 |
1 files changed, 299 insertions, 0 deletions
diff --git a/scripts/http-wordpress-enum.nse b/scripts/http-wordpress-enum.nse new file mode 100644 index 0000000..35d7a2a --- /dev/null +++ b/scripts/http-wordpress-enum.nse @@ -0,0 +1,299 @@ +local coroutine = require "coroutine" +local http = require "http" +local io = require "io" +local nmap = require "nmap" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local table = require "table" + +description = [[ +Enumerates themes and plugins of Wordpress installations. The script can also detect + outdated plugins by comparing version numbers with information pulled from api.wordpress.org. + +The script works with two separate databases for themes (wp-themes.lst) and plugins (wp-plugins.lst). +The databases are sorted by popularity and the script will search only the top 100 entries by default. +The theme database has around 32,000 entries while the plugin database has around 14,000 entries. + +The script determines the version number of a plugin by looking at the readme.txt file inside the plugin +directory and it uses the file style.css inside a theme directory to determine the theme version. +If the script argument check-latest is set to true, the script will query api.wordpress.org to obtain +the latest version number available. This check is disabled by default since it queries an external service. + +This script is a combination of http-wordpress-plugins.nse and http-wordpress-themes.nse originally +submited by Ange Gutek and Peter Hill. + +TODO: +-Implement version checking for themes. +]] + +--- +-- @see http-vuln-cve2014-8877.nse +-- +-- @usage nmap -sV --script http-wordpress-enum <target> +-- @usage nmap --script http-wordpress-enum --script-args check-latest=true,search-limit=10 <target> +-- @usage nmap --script http-wordpress-enum --script-args type="themes" <target> +-- +-- @args http-wordpress-enum.root Base path. By default the script will try to find a WP directory +-- installation or fall back to '/'. +-- @args http-wordpress-enum.search-limit Number of entries or the string "all". Default:100. +-- @args http-wordpress-enum.type Search type. Available options:plugins, themes or all. Default:all. +-- @args http-wordpress-enum.check-latest Retrieves latest plugin version information from wordpress.org. +-- Default:false. +-- +-- @output +-- PORT STATE SERVICE +-- 80/tcp open http +-- | http-wordpress-enum: +-- | Search limited to top 100 themes/plugins +-- | plugins +-- | akismet +-- | contact-form-7 4.1 (latest version:4.1) +-- | all-in-one-seo-pack (latest version:2.2.5.1) +-- | google-sitemap-generator 4.0.7.1 (latest version:4.0.8) +-- | jetpack 3.3 (latest version:3.3) +-- | wordfence 5.3.6 (latest version:5.3.6) +-- | better-wp-security 4.6.4 (latest version:4.6.6) +-- | google-analytics-for-wordpress 5.3 (latest version:5.3) +-- | themes +-- | twentytwelve +-- |_ twentyfourteen +-- +-- @xmloutput +-- <table key="google-analytics-for-wordpress"> +-- <elem key="installation_version">5.1</elem> +-- <elem key="latest_version">5.3</elem> +-- <elem key="name">google-analytics-for-wordpress</elem> +-- <elem key="path">/wp-content/plugins/google-analytics-for-wordpress/</elem> +-- <elem key="category">plugins</elem> +-- </table> +-- <table key="twentytwelve"> +-- <elem key="category">themes</elem> +-- <elem key="path">/wp-content/themes/twentytwelve/</elem> +-- <elem key="name">twentytwelve</elem> +-- </table> +-- <elem key="title">Search limited to top 100 themes/plugins</elem> +--- + +author = {"Ange Gutek", "Peter Hill", "Gyanendra Mishra", "Paulino Calderon"} + +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" + +categories = {"discovery", "intrusive"} + +local DEFAULT_SEARCH_LIMIT = 100 +local DEFAULT_PLUGINS_PATH = '/wp-content/plugins/' +local WORDPRESS_API_URL = 'http://api.wordpress.org/plugins/info/1.0/' + +portrule = shortport.http + +--Reads database +local function read_data_file(file) + return coroutine.wrap(function() + for line in file:lines() do + if not line:match("^%s*#") and not line:match("^%s*$") then + coroutine.yield(line) + end + end + end) +end + +--Checks if the plugin/theme file exists +local function existence_check_assign(act_file) + if not act_file then + return false + end + local temp_file = io.open(act_file,"r") + if not temp_file then + return false + end + return temp_file + end + +--Obtains version from readme.txt or style.css +local function get_version(path, typeof, host, port) + local pattern, version, versioncheck + + if typeof == 'plugins' then + path = path .. "readme.txt" + pattern = 'Stable tag: ([.0-9]*)' + else + path = path .. "style.css" + pattern = 'Version: ([.0-9]*)' + end + + stdnse.debug1("Extracting version of path:%s", path) + versioncheck = http.get(host, port, path) + if versioncheck.body then + version = versioncheck.body:match(pattern) + end + stdnse.debug1("Version found: %s", version) + return version +end + +-- check if the plugin is the latest +local function get_latest_plugin_version(plugin) + stdnse.debug1("Retrieving the latest version of %s", plugin) + local apiurl = WORDPRESS_API_URL .. plugin .. ".json" + local latestpluginapi = http.get('api.wordpress.org', '80', apiurl) + local latestpluginpattern = '","version":"([.0-9]*)' + local latestpluginversion = latestpluginapi.body:match(latestpluginpattern) + stdnse.debug1("Latest version:%s", latestpluginversion) + return latestpluginversion +end + +action = function(host, port) + + local result = {} + local file = {} + local all = {} + local bfqueries = {} + local wp_autoroot + local output_table = stdnse.output_table() + + --Read script arguments + local operation_type_arg = stdnse.get_script_args(SCRIPT_NAME .. ".type") or "all" + local apicheck = stdnse.get_script_args(SCRIPT_NAME .. ".check-latest") + local wp_root = stdnse.get_script_args(SCRIPT_NAME .. ".root") + local resource_search_arg = stdnse.get_script_args(SCRIPT_NAME .. ".search-limit") or DEFAULT_SEARCH_LIMIT + + local wp_themes_file = nmap.fetchfile("nselib/data/wp-themes.lst") + local wp_plugins_file = nmap.fetchfile("nselib/data/wp-plugins.lst") + + if operation_type_arg == "themes" or operation_type_arg == "all" then + local theme_db = existence_check_assign(wp_themes_file) + if not theme_db then + return false, "Couldn't find wp-themes.lst in /nselib/data/" + else + file['themes'] = theme_db + end + end + if operation_type_arg == "plugins" or operation_type_arg == "all" then + local plugin_db = existence_check_assign(wp_plugins_file) + if not plugin_db then + return false, "Couldn't find wp-plugins.lst in /nselib/data/" + else + file['plugins'] = plugin_db + end + end + + local resource_search + if resource_search_arg == "all" then + resource_search = nil + else + resource_search = tonumber(resource_search_arg) + end + + -- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests + local status_404, result_404, known_404 = http.identify_404(host,port) + if ( status_404 and result_404 == 200 ) then + stdnse.debug1("Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", host.ip, port.number) + return nil + end + + -- search the website root for evidences of a Wordpress path + if not wp_root then + local target_index = http.get(host,port, "/") + + if target_index.status and target_index.body then + wp_autoroot = string.match(target_index.body, "http://[%w%-%.]-/([%w%-%./]-)wp%-content") + if wp_autoroot then + wp_autoroot = "/" .. wp_autoroot + stdnse.debug(1,"WP root directory: %s", wp_autoroot) + else + stdnse.debug(1,"WP root directory: wp_autoroot was unable to find a WP content dir (root page returns %d).", target_index.status) + end + end + end + + --build a table of both directories to brute force and the corresponding WP resources' name + local resource_count=0 + for key,value in pairs(file) do + local l_file = value + resource_count = 0 + for line in read_data_file(l_file) do + if resource_search and resource_count >= resource_search then + break + end + + local target + if wp_root then + -- Give user-supplied argument the priority + target = wp_root .. string.gsub(DEFAULT_PLUGINS_PATH, "plugins", key) .. line .. "/" + elseif wp_autoroot then + -- Maybe the script has discovered another Wordpress content directory + target = wp_autoroot .. string.gsub(DEFAULT_PLUGINS_PATH, "plugins", key) .. line .. "/" + else + -- Default WP directory is root + target = string.gsub(DEFAULT_PLUGINS_PATH, "plugins", key) .. line .. "/" + end + + + target = string.gsub(target, "//", "/") + table.insert(bfqueries, {target, line}) + all = http.pipeline_add(target, nil, all, "GET") + resource_count = resource_count + 1 + + end + -- release hell... + local pipeline_returns = http.pipeline_go(host, port, all) + if not pipeline_returns then + stdnse.verbose1("got no answers from pipelined queries") + return nil + end + local response = {} + response['name'] = key + for i, data in pairs(pipeline_returns) do + -- if it's not a four-'o-four, it probably means that the plugin is present + if http.page_exists(data, result_404, known_404, bfqueries[i][1], true) then + stdnse.debug(1,"Found a plugin/theme:%s", bfqueries[i][2]) + local version = get_version(bfqueries[i][1],key,host,port) + local output = nil + + --We format the table for XML output + bfqueries[i].path = bfqueries[i][1] + bfqueries[i].category = key + bfqueries[i].name = bfqueries[i][2] + bfqueries[i][1] = nil + bfqueries[i][2] = nil + + if version then + output = bfqueries[i].name .." ".. version + bfqueries[i].installation_version = version + --Right now we can only get the version number of plugins through api.wordpress.org + if apicheck == "true" and key=="plugins" then + local latestversion = get_latest_plugin_version(bfqueries[i].name) + if latestversion then + output = output .. " (latest version:" .. latestversion .. ")" + bfqueries[i].latest_version = latestversion + end + end + else + output = bfqueries[i].name + end + output_table[bfqueries[i].name] = bfqueries[i] + table.insert(response, output) + end + end + table.insert(result, response) + bfqueries={} + all = {} + +end + local len = 0 + for i, v in ipairs(result) do len = len >= #v and len or #v end + if len > 0 then + output_table.title = string.format("Search limited to top %s themes/plugins", resource_count) + result.name = output_table.title + return output_table, stdnse.format_output(true, result) + else + if nmap.verbosity()>1 then + return string.format("Nothing found amongst the top %s resources,".. + "use --script-args search-limit=<number|all> for deeper analysis)", resource_count) + else + return nil + end + end + +end + |